hacktricks/mobile-apps-pentesting/android-checklist.md

Android APK Checklist

Learn Android fundamentals

• Basics
• Dalvik & Smali
• Entry points
  • Activities
  • URL Schemes
  • Content Providers
  • Services
  • Broadcast Receivers
  • Intents
  • Intent Filter
• Other components
• How to use ADB
• How to modify Smali

Static Analysis

• Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
• Sensitive applications like bank apps should check if the mobile is rooted and should actuate in consequence.
• Search for interesting strings passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids....
  • Special attention to firebase APIs.
• Read the manifest:
  • Check if the application is in debug mode and try to "exploit" it
  • Check if the APK allows backups
  • Exported Activities
  • Content Providers
  • Exposed services
  • Broadcast Receivers
  • URL Schemes
• Is the application saving data insecurely internally or externally?
• Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
• All the libraries compiled using the PIE flag?
• Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.

Dynamic Analysis

• Prepare the environment [online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical](android-app-pentesting/#local-dynamic-analysis)
• Is there any unintended data leakage logging, copy/paste, crash logs?
• Confidential information being saved in SQLite dbs?
• Exploitable exposed Activities?
• Exploitable Content Providers?
• Exploitable exposed Services?
• Exploitable Broadcast Receivers?
• Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
• Inspect HTTP/HTTPS traffic
  • This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities Hacktricks has a lot of information about Web vulns.
• Check for possible Android Client Side Injections probably some static code analysis will help here
• Frida: Just Frida, use it to obtain interesting dynamic data from the application maybe some passwords...

Some obfuscation/Deobfuscation information

• Read here

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, ****join the 💬 ****PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to ****https://github.com/carlospolop/hacktricks ****that will be reflected in this book.
Don't forget to give ⭐ on the github to motivate me to continue developing this book.

​Buy me a coffee here****